Appeals Court Rules That Violating Corporate Policy Is Not a Computer Crime

San Francisco - A federal appeals court today rejected a dangerous interpretation of the federal anti-hacking law, dismissing charges that would have criminalized any employee's use of a company's computers in violation of corporate policy.

The Electronic Frontier Foundation (EFF) filed an amicus brief in this case, U.S. v. Nosal, urging the court to come to this conclusion as part of its ongoing work to ensure fair application of the federal Computer Fraud and Abuse Act (CFAA).

"Basing criminal liability on violations of private computer use policies can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved," said the opinion by Chief Judge Alex Kozinski of the 9th U.S. Circuit Court of Appeals.

In Nosal, the government prosecuted an ex-employee of an executive recruiting firm on the theory that he induced current company employees to use their legitimate credentials to access a proprietary database and provide him with information in violation of corporate computer-use policy. The government claimed that the violation of policy constituted a violation of the CFAA, a law with criminal penalties.

EFF argued in its amicus brief that turning mere violations of company policies into computer crimes could potentially create a massive expansion of the law – making millions of law-abiding workers criminals for innocent activities like sending a personal e-mail or checking sports scores from a work computer, and leaving them vulnerable to prosecution at the government's whim. The court agreed in an en banc decision, replacing a ruling last year in which a three-judge panel found that disloyal employees who breach computer use policies run afoul of the CFAA.

"We shouldn't have to live at the mercy of our local prosecutor," said the opinion. "Employees who call family members from their work phones will become criminals if they send an email instead. Employees can sneak in the sports section of the New York Times to read at work, but they'd better not visit ESPN.com."

"This is an important victory for all Americans who use computers at work," said EFF Senior Staff Attorney Marcia Hofmann. "Violating a private computer use policy shouldn't be crime, just as violating a website's terms of use shouldn't be a crime. These policies are often vague, arbitrary, confusing and contradictory. Putting people on the hook for criminal liability when they violate these agreements would leave millions of law-abiding computer users vulnerable to federal prosecution."

"EFF has been fighting these aggressive government hacking arguments for years," said EFF Staff Attorney Hanni Fakhoury. "We're happy to see the court recognize that the government overreached here, and it issued a thoughtful decision that protects the rights of users."

Related Updates

Deputy Attorney General Rod Rosenstein delivered a speech on Tuesday about what he calls “responsible encryption” today. It misses the mark, by far. Rosenstein starts with a fallacy, attempting to convince you that encryption is unprecedented: Our society has never had a system where evidence of criminal wrongdoing was...

EFF, joined by Public Knowledge, filed an amicus brief today asking the Court of Appeals for the Federal Circuit to revisit one of its worst decisions ever. Three years ago this month, in Oracle v. Google, the Federal Circuit held that the Java Application Programming Interfaces...

This year was one of the busiest in recent memory when it comes to cryptography law in the United States and around the world. But for all the Sturm und Drang, surprisingly little actually changed in the U.S. In this post, we’ll run down the list of things that happened...

EFF staffers will spread the online freedom message at 2600 Magazine's biennial Hackers on Planet Earth (HOPE) conference from July 22 to July 24. The Eleventh HOPE will take place at the historic Hotel Pennsylvania in New York and host numerous presentations on such diverse topics as automobile software hacking...

Rhode Island legislators recently decided not to advance a bill that would have made that state’s bad “anti-hacking” law even worse. This is good news. But the struggle continues against other vague and overbroad computer crime laws. As EFF previously explained, this Rhode Island bill was a threat...

We are proud to announce the return of EFF's Badge Hack Pageant at the 24th annual DEF CON hacking conference in Las Vegas. EFF invites all DEF CON attendees to stretch their creative skills by reinventing past conference badges as practical, artful, and over-the-top objects of their choosing. The numerous...

Fort Belvoir, Virginia—The Electronic Frontier Foundation (EFF) asked a U.S. Army Court of Criminal Appeals Wednesday to overturn Chelsea Manning’s conviction for violating the Computer Fraud and Abuse Act (CFAA), arguing that the law is intended to punish people for breaking into computers systems—something Manning didn’t do. Manning...

San Francisco—The Electronic Frontier Foundation (EFF) will urge a federal appeals court Wednesday to reject Facebook’s claims that it’s a crime to workaround an IP address block—an interpretation of the law that could criminalize routine online behavior. EFF Legal Fellow Jamie Williams will participate in oral argument in the case...

At EFF we put security and privacy first. This means working hard at keeping our members and site visitors safe, as well as the people who use the software we develop. We also dedicate staff time to advising security researchers, maintaining resources like our Coders' Rights Project, and ...